Solved: Re: DMVPN per VRF Lite

Yiwei · ‎10-11-2019

Hi,

I am running my DMVPN LAB in GNS3.

R1 is DMVPN HUB, R3 and R4 are DMVPN Spoke with VRF isp1 enabled in WAN interface (Gi0/0).

The syntax seems correct I can ping the tunnel IP address and enable OSPF in the DMVPN tunnel.

But I still confuse with few concepts.

1.R3 and R4 have VRF in the Gi0/0 but it seems like I only have to have "ip vrf forwarding isp1" in tunnel 0. I only enable "tunnel vrf isp1". What different from these two commands

2.

When I ping the loopback IP address of R1 from R3 or R4, I don't have to do "ping 1.1.1.1" instead of "ping vrf isp1 1.1.1.1" I am guessing this is because they installed the tunnel's IP address in the default routing table instead of VRF routing table. Is that correct?

3. How do I install all routing information of DMVPN in the vrf isp1? I mean I want all routing information appears in "show ip ro vrf isp1" instead of "show ip ro"

R1:
interface Loopback0
ip address 1.1.1.1 255.255.255.255

interface Tunnel0
ip address 10.1.1.1 255.255.255.0
no ip redirects
ip nhrp authentication MYPASSWORD
ip nhrp map multicast dynamic
ip nhrp network-id 134
ip ospf network broadcast
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint

router ospf 1
network 1.1.1.1 0.0.0.0 area 0
network 10.1.1.0 0.0.0.255 area 0

ip route 0.0.0.0 0.0.0.0 192.168.12.2

R3:

interface GigabitEthernet0/0
ip vrf forwarding isp1
ip address 192.168.23.3 255.255.255.0

interface Loopback0
ip address 3.3.3.3 255.255.255.255

interface Tunnel0
ip address 10.1.1.3 255.255.255.0
no ip redirects
ip nhrp authentication MYPASSWORD
ip nhrp map 10.1.1.1 192.168.12.1
ip nhrp map multicast 192.168.12.1
ip nhrp network-id 134
ip nhrp nhs 10.1.1.1
ip ospf network broadcast
ip ospf priority 0
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel vrf isp1

router ospf 1
network 3.3.3.3 0.0.0.0 area 0
network 10.1.1.0 0.0.0.255 area 0

ip route vrf isp1 0.0.0.0 0.0.0.0 192.168.23.2

R4:

interface GigabitEthernet0/0
ip vrf forwarding isp1
ip address 192.168.24.4 255.255.255.0

interface Loopback0
ip address 4.4.4.4 255.255.255.255

interface Tunnel0
ip address 10.1.1.4 255.255.255.0
no ip redirects
ip nhrp authentication MYPASSWORD
ip nhrp map 10.1.1.1 192.168.12.1
ip nhrp map multicast 192.168.12.1
ip nhrp network-id 134
ip nhrp nhs 10.1.1.1
ip ospf network broadcast
ip ospf priority 0
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel vrf isp1

router ospf 1
network 4.4.4.4 0.0.0.0 area 0
network 10.1.1.0 0.0.0.255 area 0

ip route vrf isp1 0.0.0.0 0.0.0.0 192.168.24.2

THanks,

Rob Ingram · ‎10-11-2019

Hi,
You've basically put the wan interface (Gi0/0) in a VRF called isp1, which is the vrf in which the tunnel is established. By not putting the Tunnel interface in a vrf, it is therefore in the global routing table.

You wouldn't want to have all interfaces in the isp1 vrf as that defeats the objective of separate routing tables, it's essentially like not defining vrf and just using the global routing table.

It is common to have the wan interface in a Frontdoor VRF (as you've currently configured it) and then leave the tunnel interface in the global routing table.

HTH

View solution in original post

Deepak Kumar · ‎10-11-2019

Hi,

1.R3 and R4 have VRF in the Gi0/0 but it seems like I don't have to have "ip vrf forwarding isp1" in tunnel 0. I only enable "tunnel vrf isp1". What different from these two commands

"ip vrf forwarding isp1: This command means Your tunnel interface is in the VRF isp1

tunnel vrf isp1: This command means tunnel source and destination is in the VRF isp1

When I ping the loopback IP address of R1 from R3 or R4, I don't have to do "ping 1.1.1.1" instead of "ping vrf isp1 1.1.1.1" I am guessing this is because they installed the tunnel's IP address in the default routing table instead of VRF routing table. Is that correct?

Your loopback tunnel in the default routing table on Spoke routers and also learning R1 loopback in default routing table using the OSPF. So it should reachable in default routing table using the "ping 1.1.1.1" command from the spoke.

How do I install all routing information of DMVPN in the vrf isp1? I mean I want all routing information appears in "show ip ro vrf isp1" instead of "show ip ro"

Make some changes in the routing and tunnel configuration on the spoke routers as

interface Tunnel0

ip vrf forwarding isp1

ip address 10.1.1.3 255.255.255.0
no ip redirects
ip nhrp authentication MYPASSWORD
ip nhrp map 10.1.1.1 192.168.12.1
ip nhrp map multicast 192.168.12.1
ip nhrp network-id 134
ip nhrp nhs 10.1.1.1
ip ospf network broadcast
ip ospf priority 0
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel vrf isp1

!

router ospf 1 vrf isp1
network 3.3.3.3 0.0.0.0 area 0
network 10.1.1.0 0.0.0.255 area 0

!

interface Loopback0

ip vrf forwarding isp1
ip address 4.4.4.4 255.255.255.255

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

View solution in original post

Rob Ingram · ‎10-11-2019

Hi,
You've basically put the wan interface (Gi0/0) in a VRF called isp1, which is the vrf in which the tunnel is established. By not putting the Tunnel interface in a vrf, it is therefore in the global routing table.

You wouldn't want to have all interfaces in the isp1 vrf as that defeats the objective of separate routing tables, it's essentially like not defining vrf and just using the global routing table.

It is common to have the wan interface in a Frontdoor VRF (as you've currently configured it) and then leave the tunnel interface in the global routing table.

HTH

Yiwei · ‎10-13-2019

Thank you so much!

Deepak Kumar · ‎10-11-2019

Hi,

1.R3 and R4 have VRF in the Gi0/0 but it seems like I don't have to have "ip vrf forwarding isp1" in tunnel 0. I only enable "tunnel vrf isp1". What different from these two commands

"ip vrf forwarding isp1: This command means Your tunnel interface is in the VRF isp1

tunnel vrf isp1: This command means tunnel source and destination is in the VRF isp1

When I ping the loopback IP address of R1 from R3 or R4, I don't have to do "ping 1.1.1.1" instead of "ping vrf isp1 1.1.1.1" I am guessing this is because they installed the tunnel's IP address in the default routing table instead of VRF routing table. Is that correct?

Your loopback tunnel in the default routing table on Spoke routers and also learning R1 loopback in default routing table using the OSPF. So it should reachable in default routing table using the "ping 1.1.1.1" command from the spoke.

How do I install all routing information of DMVPN in the vrf isp1? I mean I want all routing information appears in "show ip ro vrf isp1" instead of "show ip ro"

Make some changes in the routing and tunnel configuration on the spoke routers as

interface Tunnel0

ip vrf forwarding isp1

ip address 10.1.1.3 255.255.255.0
no ip redirects
ip nhrp authentication MYPASSWORD
ip nhrp map 10.1.1.1 192.168.12.1
ip nhrp map multicast 192.168.12.1
ip nhrp network-id 134
ip nhrp nhs 10.1.1.1
ip ospf network broadcast
ip ospf priority 0
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel vrf isp1

!

router ospf 1 vrf isp1
network 3.3.3.3 0.0.0.0 area 0
network 10.1.1.0 0.0.0.255 area 0

!

interface Loopback0

ip vrf forwarding isp1
ip address 4.4.4.4 255.255.255.255

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Yiwei · ‎10-13-2019

Thanks a lot!